# D31eg4t3

## Idea

The challenge contract does delegatecall on `address(msg.sender)`, which is user-controlled:

```solidity
    function hackMe(bytes calldata bites) public returns(bool, bytes memory) {
        (bool r, bytes memory msge) = address(msg.sender).delegatecall(bites);
        return (r, msge);
    }
```

The other function uses the `onlyOwner` modifier:

```solidity
    function hacked() public onlyOwner{
        canYouHackMe[msg.sender] = true;
    }
```

However, there is no way to bypass this thing:

```solidity
    modifier onlyOwner {
        require(false, "Not a Owner");
        _;
    }
```

But we can modify storage slots directly via the delegatecall. Recall that delegatecall is like calling a library function, the state changes are made in the caller's context instead of callee's.

## PoC

{% embed url="<https://github.com/ret2basic/QuillCTF-PoC/blob/main/D31eg4t3/test/D31eg4t3.t.sol>" %}
D31eg4t3 - PoC
{% endembed %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ret2basic.gitbook.io/ctfwriteup/web3-ctf/quillctf/d31eg4t3.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.